0

I have Ubuntu Server running and I am setting up a separate directory as a cgi-bin. I have the directory ready and I changed the file for the site. However, to get it to work, I need to change the permissions of the Python script I have in the folder so that Apache can execute it. However, I don't want to give write or execute access to ANYONE other than root, me and Apache. I'm assuming this is possible, but how can it be done?

2 Answers

6

chown the files to whatever your Apache group is called (Usually www-data) and set permissions to only give user/group permissions:

chown -R www-data:www-data /path/to/cgi-bin
chmod -R 764 /path/to/cgi-bin

That sets it so only the www-data user and group can write the file, only the www-data user can execute the file, and everyone can read.

15
  • Thanks, I tried it and received no error. How would I go about checking that nobody other than the www-data can access the CGI? Also, is there any way to do this for ALL files in the folder and all files that will later be put into this folder? Like running those commands on the cgi-bin directory? Commented May 23, 2011 at 1:23
  • Easiest way would be to su into another user (Someone other than root) and try running the CGI, if you get an error (Something like 'Permission denied') then everything is OK. Commented May 23, 2011 at 1:33
  • I don't think you can set permissions for files that don't already exist in the directory, but the -R flag means Recursive so it will apply to every file in that directory, but the files have to be already there. Commented May 23, 2011 at 1:34
  • Okay, thanks. One more question - why set the permission to 764? www-data isn't the owner of the file...or is that what the first line of code does? Please explain the first line of code. Commented May 23, 2011 at 11:10
  • Line one, chown (condensed from 'change owner'), changes the owner of the file to the user www-data and the group www-data. Generic command is something like chown [flags] user:group /path/to/file. The second line, chmod, changes the permissions of the file. The files are now owned by www-data user and group so the perm string is 7(User can read, write and execute)6(group can read and write)4(anyone else can read). The -R flag in both commands tells it to be recursive, so you can use a directory instead of a single file. Commented May 23, 2011 at 11:15
2

Two ways jump to mind. First, you could create a group with you, root and apache in it and change the group ownership of cgi-bin to that:

groupadd web
usermod -a -G web $USER
chgrp web /path/to/cgi-bin && chmod -R 774 /path/to/cgi-bin

Alternatively, you could use ACLs to just add execute permissions for apache:

setfacl -m d:u:apache:rwx /path/to/cgi-bin 

This will allow apache to execute any file under cgi-bin, but you'll need to have ACLs enabled on the filesystem and they're sometimes easy to miss when looking at files and directories.

You can enable ACLs by modifying your filesystem defaults and remounting the filesystem:

tune2fs -o acl /dev/root/device
mount -o remount,acl /

A file or directory with an ACL attached will have a + at the end of the ownership mode in the output of ls -l:

drwxr-xr-x+ 2 username group 4096 May 21 21:58 tmp 
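A way to verify the result the comments ask about, as an added example that is not part of either answer: it lists files under a CGI directory whose "other" class still has write or execute, and files the owner cannot execute. The function names and the demo files are constructed for illustration; it inspects mode bits only, not ACL entries.

```shell
#!/bin/sh
# Added example (not from the answers): audit a cgi-bin tree against the
# question's requirement that nobody outside owner/group may write or execute.

# Print every regular file under $1 whose "other" class has write (0002) or
# execute (0001) set. Returns 0 when the tree is clean, 1 when files are listed.
audit_cgi_dir() {
    offenders=$(find "$1" -type f \( -perm -0002 -o -perm -0001 \) -print | sort)
    if [ -n "$offenders" ]; then
        printf '%s\n' "$offenders"
        return 1
    fi
    return 0
}

# Print regular files the owner cannot execute. Under the 764 scheme the owner
# is the only class with execute, so Apache (as owner) could not run these.
not_owner_executable() {
    find "$1" -type f ! -perm -0100 -print | sort
}

# Constructed demo tree in a temporary directory; needs no root and no chown.
demo() {
    tmp=$(mktemp -d) || return 1
    for f in ok.py loose.py noexec.py; do
        printf '#!/usr/bin/env python3\n' > "$tmp/$f"
    done
    chmod 764 "$tmp/ok.py"      # matches the first answer
    chmod 777 "$tmp/loose.py"   # anyone can write and execute
    chmod 664 "$tmp/noexec.py"  # nobody can execute
    echo "writable or executable by others:"
    audit_cgi_dir "$tmp" || true
    echo "not executable by owner:"
    not_owner_executable "$tmp"
    rm -rf "$tmp"
}

demo
```

Run `audit_cgi_dir /path/to/cgi-bin` after the chown/chmod step and again after adding new scripts, since new files take their mode from the creating user's umask rather than from the earlier recursive chmod.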
